From version 1.38
edited by gru
on 15.12.2021, 19:10
Change comment: There is no comment for this version
To version 2.1
edited by nlo
on 20.12.2021, 18:30
Change comment: There is no comment for this version

Summary

Details

Page properties
Author
... ... @@ -1,1 +1,1 @@
1 -XWiki.gru
1 +XWiki.nlo
Content
... ... @@ -2,6 +2,7 @@
2 2  
3 3  The {{formcycle/}} Versions 7.0.0 through 7.0.6 use a version of Log4j that contains the [[CVE-2021-44228>>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228]] vulnerability disclosed on 12/10/2021.
4 4  The {{formcycle/}} versions 7.0.0 through 7.0.7 use a version of Log4j that contains the [[CVE-2021-45046>>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046]] vulnerability disclosed on 12/14/2021.
5 +The {{formcycle/}} versions 7.0.0 through 7.0.8 use a version of Log4j that contains the [[CVE-2021-45105>>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105]] vulnerability disclosed on 12/18/2021.
5 5  
6 6  Currently, we are not aware of any scenario where these vulnerabilities in {{formcycle/}} can be exploited. **We still recommend to upgrade to {{formcycle/}} [[Version 7.0.8>>doc:Blog.FORMCYCLE 708.WebHome]], which uses a new version of Log4j that no longer contains these vulnerabilities.**
7 7  {{/info}}
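Review bot: the added line 5 puts versions 7.0.0 through 7.0.8 in the affected range for CVE-2021-45105, but the unchanged line 6 still tells readers to upgrade to "Version 7.0.8, which uses a new version of Log4j that no longer contains these vulnerabilities"; with this addition 7.0.8 is itself listed as affected, so either the recommended target version or the "no longer contains these vulnerabilities" claim has to change in the same edit, otherwise the notice contradicts itself. Minor: line 3 writes "Versions" while lines 4 and 5 write "versions".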
... ... @@ -8,7 +8,7 @@
8 8  
9 9  {{info}}
10 10  
11 -For installations where upgrading to the latest {{formcycle/}} version is not possible, we recommend implementing the [[vendor>>https://logging.apache.org/log4j/2.x/security.html]] recommended mitigation for __CVE-2021-44228__. For the Log4j version used by the potentially affected {{formcycle/}} versions this means setting the {{code language="none"}}-Dlog4j2.formatMsgNoLookups=true{{/code}} option in the Java options for the servlet container which is used to run {{formcycle/}}.
12 +For installations where upgrading to the latest {{formcycle/}} version is not possible, we recommend implementing the [[vendor>>https://logging.apache.org/log4j/2.x/security.html]] recommended mitigation for __CVE-2021-44228__. For the Log4j version used by the potentially affected {{formcycle/}} versions this means setting the {{code language="none"}}-Dlog4j2.formatMsgNoLookups=true{{/code}} option in the Java options for the servlet container used.
12 12  
13 13  For example, for an Apache Tomcat running on Windows, this can be done in //Tomcat Monitor// at the following location:
14 14  [[image:tomcat_log4j_settings.png||width="350"]]
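Review bot: the `-Dlog4j2.formatMsgNoLookups=true` property only exists in Log4j 2.10.0 through 2.14.1 and is a no-op on earlier 2.x releases, so "the Log4j version used by the potentially affected {{formcycle/}} versions" should name the bundled Log4j version outright, letting an administrator check that the flag applies to their installation. The same vendor page lists this property as insufficient against CVE-2021-45046, so the sentence should say it mitigates CVE-2021-44228 only; the later paragraph on the other two CVEs depends on that distinction. The trimmed wording "the servlet container used" reads slightly off; "the servlet container that runs {{formcycle/}}" keeps the original meaning.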
... ... @@ -18,7 +18,7 @@
18 18  
19 19  When using servlet containers other than Apache Tomcat, please consult the documentation for that servlet container for the location at which this parameter can be passed.
20 20  
21 -If an upgrade to the latest {{formcycle/}} version is not possible, mitigation of __CVE-2021-45046__ is only necessary if logpatterns containing [[affected configurations>>https://logging.apache.org/log4j/2.x/security.html]] have been manually configured. In this case, the corresponding patterns should be removed.
22 +If an upgrade to the latest {{formcycle/}} version is not possible, mitigation of __CVE-2021-45046__ & __CVE-2021-45105__ is only necessary if logpatterns containing [[affected configurations>>https://logging.apache.org/log4j/2.x/security.html]] have been manually configured. In this case, the corresponding patterns should be removed.
22 22  {{/info}}
23 23  
24 24  {{content/}}
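Review bot: the sentence now covers two CVEs with one generic "affected configurations" link but never says what a reader should look for. For both CVE-2021-45046 and CVE-2021-45105 the vendor's affected configuration is a PatternLayout that uses a Context Lookup such as `${ctx:loginId}` or `$${ctx:loginId}`, and the vendor's mitigation is to replace it with the Thread Context Map pattern `%X{loginId}` (or `%mdc`/`%MDC`), not to drop the field; "the corresponding patterns should be removed" should state that replacement so nobody loses the logged value. Style: "logpatterns" should be "log patterns" and "&" should be spelled out as "and".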